Microsoft has been bundling a password manager with a dangerous flaw into some versions of Windows 10, a Google security researcher has revealed. Tavis Ormandy noticed that a fresh Windows 10 install included Keeper, a product he had previously found to be injecting privileged UI into web pages. The version Microsoft was shipping with Windows 10 had the same bug. What does this mean? In short, any website a Keeper user visits could steal passwords from the vault.
Keeper came preinstalled on some Windows 10 installations, and its browser extension carried the very same class of vulnerability that Ormandy had reported nearly a year and a half earlier. With little more than a couple of trivial tweaks to his original proof of concept, he found it was once again possible to steal passwords stored in Keeper.
Ormandy shared details of the vulnerability on Twitter and in the Project Zero bug report:
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn’t take long to find a critical vulnerability. https://bugs.chromium.org/p/project-zero/issues/detail?id=1481
I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this:
I assume this is some bundling deal with Microsoft. I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.
Having been made aware of the problem, the developers of Keeper issued a patch within 24 hours, saying:
This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.
There have been no reports of the vulnerability having been exploited.
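The two descriptions above (Ormandy's "injecting privileged UI into pages" and Keeper's "fakes user input by using a 'clickjacking' technique") point at the same underlying design problem: when an extension places its own controls inside the page's DOM, the page's scripts can find those controls by CSS selector and fire synthetic events at them, and the extension's handler then runs with the extension's privileges. The following is an added illustration written for this article, not Keeper's code or Ormandy's proof of concept. The document, elements and vault are simulated so it runs in Node; the `fill-entry` selector, the `evil.example` and `bank.example` origins and the sample credentials are constructed for the demonstration.

```javascript
// Added example (not from Keeper or Project Zero): a minimal model of why
// privileged UI injected into a page's DOM is attackable, and the checks that
// close the hole. Everything below is simulated so the file runs in Node.

// Constructed sample vault: credentials for sites other than the attacker's page.
const VAULT = [
  { domain: 'bank.example', username: 'alice', password: 'hunter2' },
  { domain: 'mail.example', username: 'alice', password: 'correct horse' },
];

// Stand-in for a DOM element. In a real browser `event.isTrusted` is true only
// for events the user agent generates (an actual click) and false for events a
// page script creates and dispatches with dispatchEvent().
class FakeElement {
  constructor() { this.listeners = []; }
  addEventListener(type, fn) { if (type === 'click') this.listeners.push(fn); }
  dispatchEvent(event) { for (const fn of this.listeners) fn(event); }
}

// Stand-in for the page's document: an origin, a selector-addressable node map
// and the login form the extension would fill.
function fakeDocument(origin) {
  return {
    origin,
    nodes: new Map(),
    activeForm: { username: null, password: null },
    querySelector(selector) { return this.nodes.get(selector) || null; },
  };
}

// Hypothetical selector the injected UI uses for each vault entry.
function selectorFor(domain) { return `.fill-entry[data-domain="${domain}"]`; }

// Vulnerable pattern: one clickable item per vault entry is injected into the
// page's DOM, and its handler fills the credential into the current form without
// checking who generated the click or which site the page actually is.
function injectVulnerableFillUI(doc) {
  for (const entry of VAULT) {
    const item = new FakeElement();
    item.addEventListener('click', () => {
      doc.activeForm.username = entry.username;
      doc.activeForm.password = entry.password;
    });
    doc.nodes.set(selectorFor(entry.domain), item);
  }
}

// Hardened pattern: ignore synthetic (script-dispatched) clicks and never fill a
// credential saved for a different site than the one the page is served from.
function injectHardenedFillUI(doc) {
  for (const entry of VAULT) {
    const item = new FakeElement();
    item.addEventListener('click', (event) => {
      if (!event.isTrusted) return;            // page script faked the click
      if (entry.domain !== doc.origin) return; // credential belongs elsewhere
      doc.activeForm.username = entry.username;
      doc.activeForm.password = entry.password;
    });
    doc.nodes.set(selectorFor(entry.domain), item);
  }
}

// What a malicious page does: locate the injected item for the site it wants
// credentials for, fire a synthetic click at it, then read its own form.
function attackerPageScript(doc, wantedDomain) {
  const item = doc.querySelector(selectorFor(wantedDomain));
  if (!item) return null;
  item.dispatchEvent({ type: 'click', isTrusted: false });
  return doc.activeForm.password;
}

// Attacker's page at evil.example tries to obtain the bank.example password.
function runScenario(injectUI, wantedDomain = 'bank.example') {
  const doc = fakeDocument('evil.example');
  injectUI(doc);
  return attackerPageScript(doc, wantedDomain);
}

// Sanity check that the hardened UI still works for a real user on the right site.
function legitimateFill() {
  const doc = fakeDocument('bank.example');
  injectHardenedFillUI(doc);
  doc.querySelector(selectorFor('bank.example'))
     .dispatchEvent({ type: 'click', isTrusted: true });
  return doc.activeForm.password;
}

console.log('vulnerable UI, attacker page:', runScenario(injectVulnerableFillUI));
console.log('hardened UI, attacker page:  ', runScenario(injectHardenedFillUI));
console.log('hardened UI, real user:      ', legitimateFill());
```

The two checks in the hardened handler are the minimum a practitioner should expect from a password manager's page-side UI; the more robust design is to render the credential picker inside an extension-origin frame, where page scripts cannot address its elements at all, and to pass only the selected entry back to the content script. Note also what the model deliberately does not do: it does not show Keeper's actual selectors or markup, which the article does not reproduce.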